RE: Now would be a good time to disable inbound RDP (or change your port)

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 19 Jul 2005 08:45:19 -0500

From most of the conversations I have around this subject, most admins
don't give a hoot about whether TLS auth/encryption is used -- they just
want to "open a port" and tunnel it through TCP 443.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx] 
> Sent: Tuesday, July 19, 2005 8:36 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Now would be a good time to disable 
> inbound RDP (or change your port)
> 
> http://www.ISAserver.org
> 
> Hi Jim,
> 
> Yes I know that SSL has nothing to do with HTTP. The way I understand the kb
> article is that you are able to use SSL for authentication _and_ encryption of
> an RDP session instead of the 'normal' encryption. Is it just me or is the kb
> article confusing?
> 
> Han.
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > Sent: Monday, July 18, 2005 7:12 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Now would be a good time to disable 
> > inbound RDP (or change your port)
> > 
> > http://www.ISAserver.org
> > 
> > Hi Han,
> > 
> > Actually, I won't be getting that fixed.
> > The article discusses how to change RDP services to use
> > certificate-based SSL encryption and server authentication.  It says
> > nothing about changing how the RDP protocol itself operates.
> > 
> > You're making the common, but mistaken assumption that SSL == HTTP.
> > 
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >  
> > 
> > -----Original Message-----
> > From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx] 
> > Sent: Sunday, July 17, 2005 23:32
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> > (or change your port)
> > 
> > http://www.ISAserver.org
> > 
> > Ok ..... But why does kb895433 say 'to use Transport Layer Security (TLS) to
> > authenticate the terminal server and to encrypt the data that is sent between
> > the terminal server and the client computer' and 'You can use Microsoft
> > Windows Server 2003 Service Pack 1 (SP1) together with Transport Layer
> > Security (TLS) version 1.0 to help increase terminal server security by using
> > TLS for server authentication and to encrypt terminal server communications.'
> > and 'This article describes how to configure Windows Server 2003 SP1 to use
> > TLS 1.0 for server authentication to encrypt terminal server
> > communications.', etc.???
> > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > Sent: Monday, July 18, 2005 00:15
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Now would be a good time to disable 
> > > inbound RDP (or change your port)
> > > 
> > > http://www.ISAserver.org
> > > 
> > > Sorry; this is not true.
> > > The SP1 addition only provides for SSL authentication.
> > > The remote desktop protocol is still happening over RDP.
> > > 
> > > Even if you could tunnel RDP over HTTP, you'd still have to deal with
> > > the RDP encryption within the HTTP traffic (just like RPC/HTTP).
> > > 
> > > ISA still can't see it.
> > > 
> > > -----Original Message-----
> > > From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx] 
> > > Sent: Sunday, July 17, 2005 8:51 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> > > (or change your port)
> > > 
> > > http://www.ISAserver.org
> > > 
> > > In W2K3 SP1 it actually can be SSL. But can't we have RDP over SSL
> > > bridging?
> > > So to add to my ISA wish list: RDP over SSL bridging and RDP layer 7
> > > filter.
> > > 
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > > Sent: Sunday, July 17, 2005 17:09
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Now would be a good time to disable 
> > > > inbound RDP (or change your port)
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > Problem:
> > > > - RDP is encrypted, just like SSL.
> > > > Without getting into the actual underpinnings of RDP (I'd have to kill
> > > > you), you'd have to remember that an application filter would have to
> > > > act in much the same way as an actual server/client pair (think MMS,
> > > > RTSP).
> > > > 
> > > > This is also why FTPS isn't very functional across an ISA.
> > > > 
> > > > -----Original Message-----
> > > > From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx] 
> > > > Sent: Sunday, July 17, 2005 7:43 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> > > > (or change your port)
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > And wouldn't it be great if we had a layer 7 RDP filter for ISA?!
> > > > 
> > > > > -----Original Message-----
> > > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > > > Sent: Sunday, July 17, 2005 07:38
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] Now would be a good time to disable 
> > > > > inbound RDP (or change your port)
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > Timmy can gloat now...
> > > > > :-)
> > > > > 
> > > > > Now is a good time to make use of ISA 2004's ability to perform PAT.
> > > > > http://go.microsoft.com/fwlink/?LinkId=50422 
> > > > > 
> > > > > Jim
> > > > > 
> > > > > All mail to and from this domain is GFI-scanned.
> > > > > 
> > > > > 
> > > > > ------------------------------------------------------
> > > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > ------------------------------------------------------
> > > > > Other Internet Software Marketing Sites:
> > > > > World of Windows Networking: http://www.windowsnetworking.com
> > > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > > Network Security Library: http://www.secinf.net/
> > > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org Discussion 
> > > > > List as: han.valk@xxxxxxxxxxxxxxx
> > > > > To unsubscribe visit 
> > > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > > 
> > > > 

